Facebook: What If...?

9:58 AM

Note: none of these hunches have been tested and I have no idea if they really work.

Status Update takeover

First, at https://www.facebook.com/pageusername/settings?tab=mobile, Facebook gives each page an email address for posting status updates remotely. If you know that address, you can send any file to that *special* address from *any* email account, and the file is posted as a status update on the page.

For example, say my address is pXy251wiggly@m.facebook.com, which is very, very, very predictable; emailing pXy251wiggly@m.facebook.com would result in my page getting a status update.

My name is Paulos Yibelo (pXy), 251 is my country code, and wiggly is a random English dictionary word. I have changed it to a custom one, so don't try it. :P But no, the *predictability* of the email isn't what I am trying to talk about.

The mail IDs are always 12 characters long unless customized (which is unlikely), and if you notice, they contain only lowercase letters and numbers, and half of the ID is a dictionary word. Using this we can construct a recursive automated script to find the email, but note that in the process of finding the one we want we will also find lots of other, random ones. The testing part is the one that sucks: we need either zombies or a kickass bulk-mail program. Since the domain has no SPF record, it really does not matter who is sending it.

If the above script runs, it will produce every possible combination of emails Facebook has (or will ever have), a number that keeps rising. Now we can multi-thread the process and speed it up, again and again.

Note: there is a low probability of finding a large number of *actual* emails. Thanks to automation and kickass processing, it is possible.

Yes, it's less practical. But let's assume the 7b people around the globe have accounts. Assume I have already run that script and have the same database of users Facebook will ever have in a public database file. Assume I have 9 billion zombies/botnets that each mass-mail 100 mails a second; that's 9^10*100 emails sent per second. Assume all these zombies mail the addresses in the public database, programmed to multi-thread so the process succeeds cleanly. Now, in my theory, if it succeeds, it takes less than a month to mail all Facebook Page accounts. :)
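To size the ID format described above from the defender's side, this added example (not code from the original post) estimates how much entropy an upload address of that shape carries compared with a fully random 12-character ID, and generates an unstructured ID from a CSPRNG. The dictionary size, the sample words, the constructed random ID in the comments and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, per the post
ID_LENGTH = 12                                     # per the post
# Assumption: size of the word list the IDs draw from (not stated in the post).
ASSUMED_DICTIONARY_SIZE = 100_000
# Constructed sample words, used only to recognise a dictionary suffix.
SAMPLE_WORDS = {"wiggly", "planet", "orange", "window"}


def split_dictionary_suffix(local_part, words=SAMPLE_WORDS):
    """Return (prefix, word) if the ID ends in a known word, else (local_part, "")."""
    lowered = local_part.lower()
    for size in range(len(lowered), 2, -1):  # longest suffix first, minimum 3 chars
        if lowered[-size:] in words:
            return local_part[:-size], local_part[-size:]
    return local_part, ""


def estimated_bits(local_part, prefix_is_public=False):
    """Upper-bound entropy estimate (bits) for an upload address's local part.

    A dictionary suffix counts as one pick from the word list instead of
    len(word) random characters. A prefix built from public facts
    (initials, country code) contributes nothing.
    """
    prefix, word = split_dictionary_suffix(local_part)
    bits = 0.0 if prefix_is_public else len(prefix) * math.log2(len(ALPHABET))
    if word:
        bits += math.log2(ASSUMED_DICTIONARY_SIZE)
    return bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to cover a space of 2**bits at a fixed rate; use it to size rate limits."""
    return 2 ** bits / guesses_per_second


def new_upload_id(length=ID_LENGTH):
    """Unstructured ID from the OS CSPRNG: every character carries entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for sample in ("pXy251wiggly", "k3v9q0zt1m7x"):  # second value is constructed
        print(sample, round(estimated_bits(sample), 1), "bits")
    print("public prefix:", round(estimated_bits("pXy251wiggly", True), 1), "bits")
```

The gap between the structured and the random estimate is the argument for issuing upload addresses as opaque random tokens and for rate-limiting deliveries to unknown local parts.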

So the flaw here is to overdrive the ID by creating a username with the ID of an upcoming or already existing account (one that has no username). Meaning, for example, if there is a guy with an ID of 009834234 (not real), he can access his account via.


About Paulos

I am currently specializing in application security and client side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook, Twitter & more.